Facebook has another privacy headache to contend with.
The company reveals that millions of Facebook users had their passwords stored in plain text and searchable by Facebook personnel, going back to 2012. Facebook said the discovery was made in January as part of a routine security review.
In a statement, Pedro Canahuati, Facebook’s vice president of Engineering, Security and Privacy, said the passwords were not accessible by the general public and there is no evidence that Facebook employees abused their access. He said the issue has been fixed and that affected users will be hearing from Facebook.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” Canahuati said.
Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
The technology blog KrebsOnSecurity cites a source as saying as many as 20,000 Facebook employees may have access to the unencrypted passwords. The company says there is no evidence any employee intentionally searched for a user’s password.
Krebs says Facebook is conducting an internal investigation of “a series of security glitches” in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
This news comes at a bad time for Facebook. Just last week, the New York Times reported that the Justice Department is looking into data deals Facebook has worked out with some of the world’s largest tech companies.
Canahuati said the password issue came to light because it ran counter to company policy. He says best security practices require the masking of user passwords when they create an account so that no one at the company can see them.
“In security terms, we ‘hash’ and ‘salt’ the passwords, including using a function called ‘scrypt’ as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters,” Canahuati said. “With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.”
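The scheme Canahuati describes (a per-user salt, the scrypt function, and a server-side cryptographic key) can be shown end to end in a few lines. The following is an added example written for this article, not Facebook's code; the scrypt cost parameters, the record format, and the choice to apply the key as an HMAC over the scrypt output are assumptions, and the key itself is a constructed placeholder that a real deployment would keep in a key-management service rather than beside the password database. The point is that the stored record lets the server confirm a login while containing nothing from which the password can be read back, which is exactly what the internally logged plain-text copies lacked.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Server-side secret (a "pepper"). Constructed placeholder for this example;
# production code loads it from a secrets store, never hard-codes it.
SERVER_KEY = b"example-server-side-key-placeholder"

# scrypt cost parameters (assumption: common interactive-login settings).
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelisation
DKLEN = 32           # derived key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record containing a salt and a keyed scrypt digest.

    The plain-text password is used only inside this function and is not part
    of the returned record, so logging or dumping the record reveals nothing.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    # Bind the digest to the server-side key so a copied database cannot be
    # attacked offline without that key as well (assumed application of the key).
    keyed = hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(keyed).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the keyed digest from a login attempt and compare it in constant time."""
    try:
        scheme, n, r, p, salt_b64, keyed_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(keyed_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN,
    )
    keyed = hmac.new(SERVER_KEY, digest, hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(keyed, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong password", record))
```

Because the salt is random, hashing the same password twice yields two different records, so two users with the same password cannot be spotted by comparing stored values; and because verification recomputes the digest from the candidate password, no code path ever needs to write the password itself anywhere.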
While no password reset is required, Canahuati says users may change their passwords by going to “settings” on Facebook and Instagram.